RE: protecting DHCP servers

From: Brian
Date: 05/20/02

Date: Mon, 20 May 2002 12:58:44 -0700 (PDT)
From: Brian <>
To: akopps@CSUA.Berkeley.EDU

> > I am wondering what is the correct way to restrict connections to the
> > dhcp server to come only from trusted subnets assuming that I don't
> > have administrative access to the routers and the server connects
> > directly to all trusted subnets. I am trying to use these rules:

I generally create a 'sanity' chain on my input ruleset that gets run
first. It would look something like this:

# create the sanity chain and run it first for anything arriving on the
# untrusted interface
iptables -N sanity

iptables -I INPUT -i ${UNTRUST_IF} -j sanity
iptables -I FORWARD -i ${UNTRUST_IF} -j sanity

# each ${BAD} stands for one source network that should never show up on
# the untrusted side; drop it, otherwise fall back to the calling chain
iptables -A sanity -s ${BAD} -j DROP
iptables -A sanity -s ${BAD} -j DROP
iptables -A sanity -s ${BAD} -j DROP
iptables -A sanity -s ${BAD} -j DROP
iptables -A sanity -s ${BAD} -j DROP
iptables -A sanity -j RETURN

(This is obviously not a whole ruleset, and I know the 224 with /8 mask is
wrong, I don't recall off the top of my head what the real range is for
that). Using a ruleset such as this would help prevent some of those
spoofing attacks.

A few notes on how you might elaborate on this: fix the 224 netmask, add
some limits to prevent ping/syn/whatever floods (do something like
'iptables -p icmp -m limit -j ACCEPT;iptables -p icmp -j DROP').

Hopefully that will give you a few ideas...
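The sanity chain, the DHCP restriction and the ICMP limit from the reply above, written out as one script. This is an added example, not the poster's ruleset: interface names (eth0 untrusted, eth1/eth2 trusted) are constructed, the bogon list is my choice (with 224.0.0.0/4 as the multicast range the post was unsure of), and IPT defaults to printing the commands so the output can be reviewed before applying it as root with IPT=iptables.

```shell
#!/bin/sh
# Added example (not from the original post). IPT defaults to a dry run
# that prints each rule; set IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

# Source ranges that must never arrive on the untrusted interface:
# RFC 1918 space, loopback, link-local and multicast (224.0.0.0/4 is the
# whole class D range; the /8 in the post covers only a sixteenth of it).
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16 224.0.0.0/4"

# sanity_rules UNTRUST_IF: create the chain, hook it first into INPUT and
# FORWARD for the untrusted interface, drop bogon sources, RETURN otherwise.
sanity_rules() {
    untrust_if="$1"
    $IPT -N sanity
    $IPT -I INPUT -i "$untrust_if" -j sanity
    $IPT -I FORWARD -i "$untrust_if" -j sanity
    for net in $BOGONS; do
        $IPT -A sanity -s "$net" -j DROP
    done
    $IPT -A sanity -j RETURN
}

# dhcp_rules TRUSTED_IF...: a DHCP DISCOVER is sent from 0.0.0.0, so source
# subnet filtering cannot identify the client; match on the interface the
# request arrived on instead, then drop DHCP from anywhere else.
dhcp_rules() {
    for trusted_if in "$@"; do
        $IPT -A INPUT -i "$trusted_if" -p udp --sport 68 --dport 67 -j ACCEPT
    done
    $IPT -A INPUT -p udp --dport 67 -j DROP
}

# icmp_limit: the flood cap from the post with an explicit rate; the module
# default of 3/hour (burst 5) would starve legitimate pings.
icmp_limit() {
    $IPT -A INPUT -p icmp -m limit --limit 10/second --limit-burst 20 -j ACCEPT
    $IPT -A INPUT -p icmp -j DROP
}

sanity_rules eth0
dhcp_rules eth1 eth2
icmp_limit
```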